Anti-Spyware Coalition publishes spyware guidelines

The latest salvo in the ongoing war against worthless and dangerous spyware …

Our loyal readers are all too familiar with the terms spyware and adware. Whether it's because we're the ones who remove it from Uncle Sven's crusty old laptop, because it's in our job descriptions to keep a network secure, or because we've clicked through one license agreement too many and ended up spending a couple of hours cleaning our own systems, we're all familiar with the terms. But how do you describe spyware to a non-techie? More importantly, how can spyware be defined in terms so unambiguous that lawsuits, cease-and-desist orders, and the disapproving stare of the public's eye can be unleashed upon the makers of such crud? That's what the Anti-Spyware Coalition (ASC) aims to do, and to that end, it has now published official guidelines for defining spyware and its mean little sister, adware.

You may not have heard of the ASC before, and that's okay. Until now, the organization has stayed fairly low-key, except for releasing a draft of today's guidelines in October 2005 and asking for public comments. But this is no fly-by-night association of disgruntled hackers: members include content giants like AOL and Yahoo!, software makers and distributors like Microsoft (which qualifies under any label I can name, frankly) and CNET Download.com, security experts like McAfee and Symantec, and experts in the field like Lavasoft, makers of everyone's favorite spyware remover Ad-Aware. It's a rather impressive grouping, and they have all signed off on the guidelines, so they come with a hefty mandate.

Okay, so what exactly was published today? The guidelines consist of five parts:

A set of definitions for various forms of spyware, illustrated with examples, and tagged with reasons why each practice should be considered a sign of spyware, as well as instances of how these practices could be used legitimately.

A glossary of terms, to eliminate confusion as to what the terms used in the spyware definitions are meant to signify.

Guidelines for the Vendor Dispute Resolution Process, outlining steps that companies accused of peddling spyware can follow to clear their good name, and get back on the straight and narrow.

Anti-Spyware Safety Tips, which is a set of guidelines for consumers to refer to, in order to help them protect their computer and the information stored therein.

The Risk Model Description builds on the other four documents, and categorizes various classes of spyware into threat levels—low, medium, or high—and consent levels one through three, with higher scores indicating greater user approval of the software's actions.

Having a clearly defined framework like this to fall back on will help the development of spyware removal tools, but it can also help increase Joe Q. Public's awareness of the problem, and help him do something about it. In addition, pointing to the ASC Guidelines and shouting "Lawsuit!" or "Boycott!" should encourage some developers either to go clean and straight, or to admit that they're releasing spyware and then go away.

This isn't a silver bullet, of course: the spyware beast will survive, but it may have to get smarter now. The biggest plus the ASC brings to the table, I think, is that it isn't the US government. The Internet is global, and so are the coalition members. These are guidelines, not laws, and I think that's better because laws trying to control online behaviors, including software creation and distribution, are doomed to be unenforceable. Look at the guidelines like a spam filter; your computer won't be fully protected from crud buildup, but anything that cuts down on it is a welcome change.